Fraudsters have long been leveraging the shady corners of the internet to place malicious adverts, leading users to various scams. However, every now and again we see a campaign that goes mainstream and targets some of the world’s top brands.
Case in point, we recently uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams.…
Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.
Year after year Linux environments increasingly become the target of malware due to continued threat actor interest in the space. Malware targeting Linux environments surged in 2021, with a large amount of innovation resulting in new malicious code, especially in ransomwares, trojans, and botnets.…
In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.…
Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations. In a recent campaign, the group was observed making use of a new version of the IRC botnet, PwnRig cryptocurrency miner, and its generic infection script.…
This post is also available in: 日本語 (Japanese)
Executive SummaryOrganizations around the world rely on the use of trusted, reliable online storage services – such as DropBox and Google Drive – to conduct day-to-day operations. However, our latest research shows that threat actors are finding ways to take advantage of that trust to make their attacks extremely difficult to detect and prevent.…
Cybercriminals are always looking for innovative techniques to evade security solutions. Based on the Resecurity® HUNTER assessment, attackers are actively leveraging tools allowing them to generate malicious shortcut files (.LNK files) for payload delivery.
Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500’s worldwide, has detected an update to one of them most popular tools used by cybercriminals.…
日前,安天副总工程师李柏松接受《环球时报》记者的采访,披露了安天CERT近期发现的印度APT组织“Confucius”,及其针对巴基斯坦政府、军事机构的攻击活动(环球网文章详见今日第二条转载文章)。本篇为详细分析报告。
01 概述近期,安天CERT在对来自南亚次大陆方向的攻击事件进行追踪和梳理时,发现一起Confucius组织针对巴基斯坦政府、军事机构的攻击活动。
该组织的命名最早出自国外安全厂商Palo Alto Networks在2016年发布的分析报告[1],在该报告中,Palo Alto Networks披露了一个印度攻击组织的攻击活动,该组织攻击活动最早可追溯至2013年,其擅长使用鱼叉式钓鱼邮件、水坑攻击以及钓鱼网站,配合丰富的社会工程学手段对中国、巴基斯坦、孟加拉国等印度周边国家政府、军事、能源等领域开展以窃取敏感资料为目的的攻击活动。该组织在早期攻击活动中,曾借助具备留言互动功能的国际知名网站(例如Quora,类似我国的知乎),在公开的留言中夹带经过加密编码处理的木马远控服务器地址。该组织使用的木马被植入受害主机后,可从这类公开留言中获取内容,解密还原真正远控服务器地址。因此,木马在受害主机的首次网络访问行为会被视为正常的网页请求,而攻击者却可以借助这些国际知名网站持续更换远控地址或下发其他指令。Palo Alto Networks在相关恶意代码连接的一个Quora页面中,发现攻击者张贴的内容有“Confucius says”字样,即“孔夫子说”,或“子曰”,于是把这个组织称为Confucius。可见攻击者持续攻击中国过程中,也对中国的文化进行了研究。
在安天CERT发现的本次攻击活动中,该组织主要伪装成巴基斯坦政府工作人员向目标投递鱼叉式钓鱼邮件,通过钓鱼邮件内容诱骗目标下载、打开嵌入恶意宏代码的文档,从而向目标机器植入开源木马QuasarRAT、自研C++后门木马、C#窃密木马以及JScript下载者木马。
目前,该起攻击活动已引起巴基斯坦政府相关部门注意,其中巴基斯坦国家电信和信息技术安全委员会(NTISB)多次发出全国网络威胁预警[2][3],称攻击者正在向政府官员和公众发送模仿巴基斯坦总理办公室的虚假网络钓鱼电子邮件,因此要求政府官员和公众保持警惕,不要通过电子邮件和社交媒体链接提供任何信息。 本报告对从2021年至今的Confucius组织攻击活动、手法和工具做一定程度的总结,整体活动的特征可简要总结如下表:表1‑1 整体攻击活动特征总结
攻击时间
2021年至今
攻击意图
持续控制、窃密
针对目标
巴基斯坦
针对行业/领域
政府、军事机构
攻击手法
鱼叉邮件、钓鱼网站、利用第三方云存储服务存放恶意载荷
目标系统平台
Windows
诱饵类型
诱饵PDF文件、恶意宏文档、恶意RTF文件、恶意快捷方式等
开发语言
C++、VBScript、C#以及JScript
武器装备
C++后门木马,C#窃密木马、C#下载者木马、开源木马QuasarRAT、JScript下载者木马
02 活动分析 从2021年下半年至今,安天CERT陆续捕获到Confucius组织针对巴基斯坦进行攻击的样本文件,捕获样本的攻击时间线如下: 2021年6月份利用巴基斯坦军队牺牲者名单有关内容的恶意RTF文档进行攻击; 2021年8月份利用巴基斯坦军方关于Pegasus间谍软件警告内容的宏文档进行攻击; 2021年8月份利用巴基斯坦联邦税务局税务申报有关内容的宏文档进行攻击; 2022年2月份利用伪装成图片文件的恶意快捷方式文件进行攻击; 2022年2月份利用巴基斯坦政府员工COVID-19疫苗接种状态表、数字资产审计表等有关内容的宏文档进行攻击; 2022年5月份利用巴基斯坦总理办公室员工职位申请表有关内容的宏文档进行攻击; 2022年6月份利用巴基斯坦外交部有关内容的恶意宏文档进行攻击。 在此次攻击活动中,攻击者主要以巴基斯坦政府工作人员的名义向目标投递鱼叉式钓鱼邮件,钓鱼邮件的内容大多数与巴基斯坦政府有关,例如,以巴基斯坦总理办公室的名义要求政府工作人员更新COVID-19疫苗接种情况。图2‑1 钓鱼邮件
攻击者在钓鱼邮件的正文中、附件PDF文件中嵌入了不同类型的恶意链接,当目标查阅钓鱼邮件后便会被攻击者精心设计的邮件正文、PDF文件内容诱骗,从而点击恶意链接下载具有恶意宏代码的文档。 攻击者使用的恶意链接主要分为以下三种: ▶ 仿冒政府网站的钓鱼网站访问链接:攻击者利用HTTrack等网站克隆工具,搭建仿冒政府部门官网的钓鱼网站(如巴基斯坦总理办公室、巴基斯坦国防大学学报、巴基斯坦联邦税务局),当目标通过钓鱼网站访问链接访问钓鱼网站时,攻击者通过网站内容诱骗目标下载携带恶意宏的文档。 表2‑1 仿冒域名域名
仿冒对象
pmogov.info…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 continuously hunts for new and unique malware samples that match known advanced persistent threat (APT) patterns and tactics. On May 19, one such sample was uploaded to VirusTotal, where it received a benign verdict from all 56 vendors that evaluated it.…
Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat actors’ interest and we see a continued growth and innovation of malware that targets Linux, such as the recent Symbiote malware that was discovered by our research team.…
Some types of malware use DGA, obfuscate destination information, or contain fake C2 server information in order to hide the original C2 server. Others obtain C2 server information from legitimate servers. Recently, the malware used by Lazarus VSingle has been updated to retrieve C2 servers information from GitHub.…
We look into a recent attack orchestrated by the Black Basta ransomware group that used the banking trojan QakBot as a means of entry and movement and took advantage of the PrintNightmare vulnerability to perform privileged file operations.
Since it became operational in April, Black Basta has garnered notoriety for its recent attacks on 50 organizations around the world and its use of double extortion, a modern ransomware tactic in which attackers encrypt confidential data and threaten to leak it if their demands are not met.…
Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonates various services appearing to be legitimately created on the “azurefd.net” domain – This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts.…
Since May 2022, ThreatLabz has been closely monitoring the activities of a threat actor which targets users in various US-based organizations with malicious voicemail-notification-themed emails in an attempt to steal their Office365 and Outlook credentials. The tactics, techniques, and procedures (TTPs) of this threat actor have a high overlap with a previous voicemail campaign that ThreatLabz analyzed in July 2020.…
This blog post was authored by Jérôme Segura
We have seen and heard less buzz about ‘Magecart’ during the past several months. While some marketing playbooks continue to rehash the same breaches of yesteryear, we have been wondering if some changes took place in the threat landscape.…
June 15, 2022
Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week.…
A new remote code execution vulnerability called “Follina” has been found lurking in most Microsoft products. In this blog, we examine a potential attack vector as well as technical details of Follina, and chart the ability to detect this new vulnerability using both Qualys Multi-Vector EDR and Qualys Context XDR.…
PureCrypter is actively being developed by a threat actor using the moniker “PureCoder”.…
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Unit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa.…
Introduction
On May 31, a critical unpatched vulnerability, which affects all confluence server and data center supported versions was reported to Atlassian by Volexity, a security company.
Atlassian warned their customers of the critical vulnerability on June 2 and issued a patch a day later. CISA added this vulnerability to their list of Known Exploited Vulnerabilities on June 3.…